Loading…
AppSec Europe 2016 has ended
Back To Schedule
Thursday, June 30 • 10:20 - 11:05
Framework Security: Have You Hugged A Developer Today?

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share
For years security nerds like us have been saying the same thing: It’s *your* problem. Integrate security awareness throughout your SDLC, educate your developers, hire us at some expense to come in and tell you the same annually. Ultimately relying on developers to be infallible is an expensive loosing proposition. 

We’d like to present a different idea: It's our problem. Writing secure software shouldn't require developers to become security specialists. At Immunio we've been working on ways of modifying application frameworks to defend against common vulnerabilities automatically. We're trying to remove some of the burden on developers and make security a fundamental part of the stack. 

In this presentation we'll share with you our experiences extending these frameworks and discuss some of the strategies we've taken that have worked, the challenges we've had to face, and how a simple change of approach could change application security. 

Outline: 

- Introduction 
- The Problem: Frameworks make coding easy and security hard 
- Example: Rails helpers and safe_buffers 
- Example: Rails directory traversal 
- Application Defense In Depth 
- The trouble with WAFs 
- Security is a framework responsability 
- Perfect Code is a Pipe Dream 
- State Makes Hard Problems Easy(ish) 
- Today Security is an Afterthought 
- Building Self-Defending Frameworks 
- Problem: Command and Control 
- Everything You Know About XSS Defense Is Wrong 
- ESAPI is Crapy 
- HTML Is Machine Readable By Design! 
- Use The Source Luke! 
- Using Lexical Analysis To Escape On-the-fly 
- Lexing to Determine Context 
- Escaping 
- Problem: Application Interpolations 
- Dynamic Whitelisting 
- Problem: HTML Is a Horrible Mismash 
- Protecting Javascript 
- CSS 
- Problem: HTML Is Just Horrible 
- Browser Insanity 
- 'Developer' Insanity 
- DEMO 
- Generalizing The Approach 
- SQLi 
- Problem: String building 
- Bash 
- Everything Is Just Structured Data! 
- The Power of a Security Aware Framework 
- Attacker Identification 
- Active Response 
- Forensics 
- Conclusion 
Speakers
avatar for Oliver Lavery

Oliver Lavery

Oliver Lavery is VP of Research and Development at Immunio. He's a software developer, penetration tester, and consultant with over 15 years of experience in the industry. When not coming up with defensive algorithms, he enjoys making kernels involuntarily do his bidding, breaking... Read More →

Thursday June 30, 2016 10:20 - 11:05 CEST
Room A (Michelangelo Ballroom Sect. 3)
  Defender

Attendees (35)